CVE CVE-2022-26528

Title Realtek Linux/Android Bluetooth Mesh SDK — An Out-of-bound 
Write Due to SegO > SegN in Mesh Transport Layer 

Description In the Realtek Android Bluetooth Mesh SDK, an out-of-bound write
vulnerability can be triggered by sending a series of segmented
packets with SegO > SegN. SegO is a lower transport layer field that
indicates the segment offset number. SegN is a lower transport layer
field that indicates the last segment number. When it receives the first
segmented packet, the Realtek Android Bluetooth Mesh SDK allocates
a buffer to cache the remaining segmented packets. The size of the buffer
is (SegN + 1) * single_payload_size, where SegN is parsed from the
first segmented packet, and single_payload_size is […] or 12, depending
on the type of packet. The mesh SDK continues to receive the
remaining segmented packets, copying them into the allocated buffer,
where the destination address is pbuffer + SegO *
single_payload_size. The mesh SDK does not check whether SegO <=
SegN when caching packets. Since the buffer size is (SegN + 1) *
single_payload_size, if SegO > SegN, an out-of-bound write will
occur.
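
The bounds check described above, as an added example that is not code from the Realtek SDK: a reassembly cache that rejects SegO > SegN before copying. The struct and function names are hypothetical, and the 5-bit SegO/SegN width is taken from the Bluetooth Mesh lower transport layer format rather than from this advisory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reassembly cache; names are illustrative, not the SDK's. */
struct seg_cache {
    uint8_t *pbuffer;              /* (seg_n + 1) * single_payload_size bytes */
    uint8_t  seg_n;                /* SegN taken from the first segment */
    size_t   single_payload_size;  /* per-segment payload size, e.g. 12 */
    uint32_t received;             /* bitmap of segments cached so far */
};

/* Allocate the cache when the first segment of a message arrives. */
int seg_cache_init(struct seg_cache *c, uint8_t seg_n, size_t payload_size)
{
    if (seg_n > 31 || payload_size == 0)   /* SegO/SegN are 5-bit fields */
        return -1;
    c->pbuffer = calloc((size_t)seg_n + 1, payload_size);
    if (!c->pbuffer) return -1;
    c->seg_n = seg_n;
    c->single_payload_size = payload_size;
    c->received = 0;
    return 0;
}

/* Cache one segment. Returns 0 on success, -1 if the segment is rejected. */
int seg_cache_store(struct seg_cache *c, uint8_t seg_o, uint8_t seg_n,
                    const uint8_t *payload, size_t len)
{
    /* The check the advisory reports as missing: SegO must not exceed SegN. */
    if (seg_o > c->seg_n)
        return -1;
    /* Later segments must agree with the SegN that sized the buffer. */
    if (seg_n != c->seg_n)
        return -1;
    /* A segment payload must fit inside one slot. */
    if (len == 0 || len > c->single_payload_size)
        return -1;
    memcpy(c->pbuffer + (size_t)seg_o * c->single_payload_size, payload, len);
    c->received |= (uint32_t)1 << seg_o;
    return 0;
}

/* True once segments 0..SegN have all been cached. */
int seg_cache_complete(const struct seg_cache *c)
{
    uint32_t want = (uint32_t)(((uint64_t)1 << (c->seg_n + 1)) - 1);
    return c->received == want;
}
```
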

Severity Medium 

CVSSv3 Base score 
CVSS:3.1/AV:[…]/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

Vulnerability Type Denial of Service

CWE CWE-120: Buffer Copy without Checking Size of Input ('Classic
Buffer Overflow'). The program copies an input buffer to an output
buffer without verifying that the size of the input buffer is less than the
size of the output buffer, leading to a buffer overflow.

Affected Chipsets 8723DS, 8821CS, 8723FS

Affected Software Versions Older than Mesh SDK v4.17-4.17-20220127